Viruses stole City College of S.F. data for years

CITY COLLEGE

Published 4:00 am, Friday, January 13, 2012

Photo: Liz Hafalia, The Chronicle

Line of computers in the computer room at City College of San Francisco in Batmale Hall in San Francisco, Calif., on Thursday, January 12, 2012. A computer virus that has been on the San Francisco City College servers for the past 10 years may have compromised the personal information of 40k to 100k students and faculty.

Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called "an infestation" of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned.

At work for more than a decade, the viruses were detected a few days after Thanksgiving, when the college's data security monitoring service noticed an unusual pattern of computer traffic, flagging trouble.

But a closer look revealed a far more nefarious situation, which had been lurking within the college's electronic systems since 1999. For now, it's still going on. So far, no cases of identity theft have been linked to the breach. That may change as the investigation continues, and college officials said they might need to bring in the FBI.

The college's payroll, admissions and accounting systems have yet to be analyzed for the viruses.

"We have to move as quickly as possible," Griffin said. "We don't know yet, but it doesn't mean there hasn't been a serious infection there, as well."

They troll at night

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Some of the stolen data is probably innocuous, such as lesson plans. But an analysis shows that students and faculty have used college computers to do their banking, and the viruses have grabbed the information, Hotchkiss said.

Although the extent of what has been transmitted is not yet clear, Hotchkiss said the server with medical information for students and employees appears to be virus-free.

"We may never know the full extent of the damage, and how many lives have been affected by this," Hotchkiss told three college trustees Thursday evening who met to discuss school buildings and technology issues. "These viruses are shining a light on years of (security) neglect."

State law requires that cyber victims be notified when personal information has been stolen, and college officials are trying to determine who needs to be told. The college is analyzing 17 computer systems thought to be at risk.

Russian addresses

Since Nov. 28, college officials have traced at least 723 Internet protocol addresses to the Russian Business Network, "a notorious gang in the business of stealing and selling personal information," Hotchkiss said.

Once known as "the granddaddy of online hosting networks for criminals," the Russian Business Network disbanded around 2008, according to computer security company Symantec of Mountain View. But criminals are still collecting the data - and American college students are often prime victims.

"Unfortunately, penetration into higher education is not uncommon," said Tim Matthews of Symantec's data loss prevention team. "A lot of criminals see students as investments in the future - people with clean credit records who, if they get a college degree, will be high income and a good identity to steal."

He said the criminals often hold onto the information for years as it becomes more valuable.

Little protection

Places like City College of San Francisco, where officials have done little to protect against cyber attacks over the years, are especially vulnerable, Hotchkiss said. He arrived at City College in July 2010, and was astonished to learn how porous its computer systems have been.

"When I found out they hadn't changed passwords in over 10 years, I hit the roof," said the tech expert, who ordered them all changed last summer.

But cash-strapped City College has worse vulnerabilities than that, he said. They include poor network design and old equipment, a "draconian system" for agreeing on new policies - including urgent security issues - and little money for new, virus-resistant technology.

Some college leaders also suffer bouts of technophobia, he said, leading to lax attention to the need for cyber security. Hotchkiss' efforts to secure City College's computer systems have also run up against a competing need: academic freedom.

Shortly before Hotchkiss arrived at City College, a new firewall was installed. Technicians set it up to block pornography sites, which are notorious for transmitting computer viruses.

Then faculty began complaining to Hotchkiss that students needed access to porn sites. For research.

Eventually, given examples of the academic necessity, Hotchkiss had to remove the porn block.

He eventually hired a data security service, USDN of San Francisco, which detected the virus problem.